Security Techniques for Virtualized Networks

虚拟化网络的安全技术

• 批准号: RGPIN-2018-05323
• 负责人: Matrawy, Ashraf
• 金额: $ 2.48万
• 依托单位: Carleton University
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2020
• 资助国家: 加拿大
• 起止时间: 2020-01-01 至 2021-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=713591
• 关键词: Security; Techniques; Virtualized; Networks

The trend to move network management from hardware-based to software-based "virtualized" networks is rapidly getting stronger for economic, technical, and environmental reasons. In virtualized networks, hardware-based network nodes (routers, switches, firewalls, etc.) are replaced with software-based systems that are hosted in virtual machines in the cloud. There is a significant promise of cost reduction and higher resource utilization. Moreover, as this trend relies on software for setup and operation, virtualization is expected to expedite the processes of creating and changing computing and network services. It should also make it easier to create services that were not easily implementable in traditional infrastructures due to cost or scale. This area is of tremendous importance to supporting innovation and economic growth in Canada and elsewhere. Network virtualization will be prevalent in different types of networks: private, public, and hybrid. At the heart of this trend is a significant concern about information security while network elements do not obey the traditional security principles where a physical security perimeter could be established. This proposed research program investigates new techniques for securing virtualized infrastructures from a computer networking perspective. Building on my expertise and my ongoing research program that started with my first Discovery Grant in 2004, the proposed research program will pursue the following distinct themes: Threat modelling and defining an alternative security perimeter for virtual networks. In this theme, we will investigate the creation of a substitute for a security perimeter in software-based virtual networks. Building resilience to attacks into the design of virtualized networks. This gives these networks the ability to sustain attacks and continue to function at a certain level during attacks while other means of defences are being sought. Creating new security evaluation techniques for network applications in virtual networks to be able to assess the security impact of new network applications in these environments. This contributes significantly to fundamental network security research. These defences that emanate from within the network should stop the attacks closer to their sources and reduce attack amplification. Another important benefit of doing this research in creating resilient networking architecture rather than creating a new defence for every type of attack is the prevention of the arms-race situation that we are currently facing. By the time solutions and patches are created, new attacks are appearing again and creating an arms-race like situation. Finally, this program will provide a number of highly qualified personnel with network security skills that are much needed in many industries.

由于经济、技术和环境原因，将网络管理从基于硬件的“虚拟化”网络转移到基于软件的“虚拟化”网络的趋势正在迅速增强。在虚拟化网络中，基于硬件的网络节点（路由器、交换机、防火墙等）被托管在云中虚拟机中的基于软件的系统所取代。降低成本和提高资源利用率具有重大前景。此外，由于这种趋势依赖于软件进行设置和操作，因此虚拟化有望加快创建和更改计算和网络服务的过程。它还应该使创建由于成本或规模而在传统基础设施中不易实现的服务变得更加容易。该领域对于支持加拿大和其他地区的创新和经济增长至关重要。 网络虚拟化将在不同类型的网络中盛行：私有网络、公共网络和混合网络。这一趋势的核心是对信息安全的重大担忧，而网络元素不遵守可以建立物理安全边界的传统安全原则。这项拟议的研究计划从计算机网络的角度研究保护虚拟化基础设施的新技术。 基于我的专业知识和我自 2004 年获得第一笔发现资助以来正在进行的研究项目，拟议的研究项目将追求以下不同的主题： 威胁建模并定义虚拟网络的替代安全边界。在这个主题中，我们将研究在基于软件的虚拟网络中创建安全边界的替代品。 在虚拟化网络的设计中构建抵御攻击的能力。这使得这些网络能够承受攻击并在攻击期间继续在一定水平上运行，同时正在寻求其他防御手段。 为虚拟网络中的网络应用程序创建新的安全评估技术，以便能够评估这些环境中新网络应用程序的安全影响。 这对基础网络安全研究做出了重大贡献。这些来自网络内部的防御措施应该能够阻止攻击靠近其源头并减少攻击放大。进行这项研究创建弹性网络架构而不是为每种类型的攻击创建新的防御措施的另一个重要好处是防止我们目前面临的军备竞赛局面。当解决方案和补丁被创建时，新的攻击再次出现并造成类似军备竞赛的情况。最后，该计划将提供一批具有许多行业急需的网络安全技能的高素质人才。